diff options
| -rw-r--r-- | apt-private/private-update.cc | 10 | ||||
| -rw-r--r-- | test/integration/framework | 2 | ||||
| -rwxr-xr-x | test/integration/test-apt-get-update-sourceslist-warning | 13 |
3 files changed, 22 insertions, 3 deletions
diff --git a/apt-private/private-update.cc b/apt-private/private-update.cc index 694480a96..d5faf5d2f 100644 --- a/apt-private/private-update.cc +++ b/apt-private/private-update.cc @@ -106,15 +106,23 @@ bool DoUpdate() if (_config->FindB("APT::Get::Update::SourceListWarnings::SignedBy", SLWarnings)) { + bool allDeb822 = true; for (auto *S : *List) { - if (not S->HasFlag(metaIndex::Flag::DEB822) || not S->GetSignedBy().empty()) + if (not S->GetSignedBy().empty()) continue; URI uri(S->GetURI()); // TRANSLATOR: the first is manpage reference, the last the URI from a sources.list _error->Notice(_("Missing Signed-By in the %s entry for '%s'"), "sources.list(5)", URI::ArchiveOnly(uri).c_str()); + allDeb822 &= S->HasFlag(metaIndex::Flag::DEB822); + } + if (not allDeb822) + { + _error->Notice(_("Consider migrating all sources.list(5) entries to the deb822 .sources format")); + _error->Notice(_("The deb822 .sources format supports both embedded as well as external OpenPGP keys")); + _error->Notice(_("See apt-secure(7) for best practices in configuring repository signing.")); } } diff --git a/test/integration/framework b/test/integration/framework index 7c1b31ca2..3784ece06 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -580,6 +580,8 @@ EOF echo 'APT::Machine-ID "912e43bd1c1d4ba481f9f8ccab25f9ee";' > rootdir/etc/apt/apt.conf.d/machine-id + echo "APT::Get::Update::SourceListWarnings::SignedBy \"false\";" >> rootdir/etc/apt/apt.conf.d/signed-by + configcompression '.' 'gz' #'bz2' 'lzma' 'xz' confighashes 'SHA256' # these are tests, not security best-practices diff --git a/test/integration/test-apt-get-update-sourceslist-warning b/test/integration/test-apt-get-update-sourceslist-warning index 115dd3e16..652f9f49f 100755 --- a/test/integration/test-apt-get-update-sourceslist-warning +++ b/test/integration/test-apt-get-update-sourceslist-warning @@ -8,6 +8,7 @@ setupenvironment configarchitecture 'amd64' setupaptarchive --no-update +rm rootdir/etc/apt/apt.conf.d/signed-by testsuccess apt update testsuccess apt update --no-download @@ -44,7 +45,15 @@ rm rootdir/etc/apt/sources.list.d/example.sources msgmsg 'Detect login info embedded in sources.list' echo 'deb http://apt:debian@example.org/debian bookworm main' > rootdir/etc/apt/sources.list.d/example.list testsuccessequal "$BOILERPLATE -N: Usage of apt_auth.conf(5) should be preferred over embedding login information directly in the sources.list(5) entry for 'http://example.org/debian'" apt update --no-download +N: Usage of apt_auth.conf(5) should be preferred over embedding login information directly in the sources.list(5) entry for 'http://example.org/debian' +N: Missing Signed-By in the sources.list(5) entry for 'http://example.org/debian' +N: Consider migrating all sources.list(5) entries to the deb822 .sources format +N: The deb822 .sources format supports both embedded as well as external OpenPGP keys +N: See apt-secure(7) for best practices in configuring repository signing." apt update --no-download echo 'deb tor+https://apt:debian@example.org/debian bookworm main' > rootdir/etc/apt/sources.list.d/example.list testsuccessequal "$BOILERPLATE -N: Usage of apt_auth.conf(5) should be preferred over embedding login information directly in the sources.list(5) entry for 'tor+https://example.org/debian'" apt update --no-download +N: Usage of apt_auth.conf(5) should be preferred over embedding login information directly in the sources.list(5) entry for 'tor+https://example.org/debian' +N: Missing Signed-By in the sources.list(5) entry for 'tor+https://example.org/debian' +N: Consider migrating all sources.list(5) entries to the deb822 .sources format +N: The deb822 .sources format supports both embedded as well as external OpenPGP keys +N: See apt-secure(7) for best practices in configuring repository signing." apt update --no-download |
